Over at Black Hat USA 2012, security researcher Ralf-Phillip Weinmann demonstrated a vulnerability in several Android devices that utilized A-GPS to send illicit messages to the device which could, he explained, be used to send a report of the device's location any time an A-GPS message was sent or even be used to gain complete control of the device.

In describing the attack, Weinmann pointed out that, for example, a malicious WiFi network could instruct a phone to relay all future A-GPS requests, even once the device has left the WiFi network's range. This even further drives home the point that you should not join any networks you don't trust. As always, practice safe networking.

Of course, Weinmann said that manufacturers and software developers could solve the problem, we're assuming (read: hoping) via a software update, but that as of right now, none have implemented a fix for the attack. It highlights, however, the need for devices to be updated much more speedily. OTA updates are a great tool for pushing software out to devices, but the road between a manufacturer discovering a vulnerability and software being pushed through to the carriers and on to the devices can be a long one.

Hopefully we'll see this vulnerability patched before any real damage is done, though Weinmann says he "wouldn't count on it until you buy the next-gen device." Sad times.

Eric is a snarky technophile with a taste for the unusual. When he's not obsessing about Android, you can usually find him obsessing about movies, psychology, or the perfect energy drink. Eric weaves his own special blend of snark, satire, and comedy into all his articles.

Comments

pierre krafft

Over on XDA there is a mod for my phone that promises better GPS lock speed by changing AGPS options. The developer writes that using SSL slows the connection down and makes the GPS connect slower. I would think that's why they (most of them?) have disabled SSL. They trade security for speed. I don't think it is a mistake since the modifications are in one clear text file.